What is CloudABI?

CloudABI is a runtime environment for UNIX-like operating systems. Applications built for CloudABI differ from traditional UNIX-like applications in that they do not make use of command-line arguments and environment variables. Instead, they can be launched through a utility called cloudabi-run, which can read configuration options provided in YAML:

$ cat my_webserver.yaml
vhosts:
- domain: cloudabi.org
  ...
worker_processes: 20
max_concurrent_connections: 500
$ cloudabi-run /path/to/webserver/executable < my_webserver.yaml

CloudABI applications can then retrieve these options from within their entry point function (for C/C++: program_main() instead of main()):

#include <argdata.hpp>
#include <program.h>

void program_main(const argdata_t *ad) {
  int worker_processes = 30; // Default value.
  for (auto [key, value] : ad->as_map()) {
    if (key->as_str() == "worker_processes")
      worker_processes = value->as_int<int>();
  }
  ...
}

What is special about the YAML supported by cloudabi-run is that it may contain YAML tags that refer to external resources, such as files, directories on and network sockets:

%TAG ! tag:nuxi.nl,2015:cloudabi/
---
vhosts:
- domain: cloudabi.org
  root_directory: !file
    path: /var/www/cloudabi.org
    ...

These resources are acquired by cloudabi-run and can be extracted by the application as file descriptors, meaning program startup can be simplified.

Direct access to global namespaces is absent from CloudABI entirely, meaning applications cannot open files or connect to systems on the network arbitrarily. In effect, resources specified in the YAML file (and ones derived from them) are the only ones CloudABI applications can use to interact with the outside world. There is no need to design a separate security policy.

The idea behind CloudABI is that we want to work towards a landscape in which applications are strongly sandboxed, testable and reusable by default. It brings the concept of dependency injection to full-size UNIX applications by making use of capability-based security. The goal is to make sandboxing clean and simple, as opposed to being an obstacle.

Using CloudABI

I want to write CloudABI applications in…

It is possible to write software for CloudABI in a number of languages. The articles linked below explain how you can get started with developing software in your language of choice.

If your favorite language is not listed, it means we’re still looking for volunteers to help us add support!

I want to run CloudABI applications on…

By formally defining CloudABI’s system call interface and making the runtime friendly towards embedding, it is possible to run CloudABI executables on multiple operating systems without modification. For example, a CloudABI application compiled on macOS can be run on FreeBSD and Linux as well.

The following articles explain how cloudabi-run can be set up on your operating system of choice.

If your favorite operating system is not listed, it means we’re still looking for volunteers to help us port CloudABI to that system! Use of CloudABI as part of experimental operating systems research is also encouraged.

Projects under the CloudABI umbrella

  • CloudABI
    Specification of the system call layer that CloudABI applications use to interact with the operating system. This specification is automatically converted into documentation and language bindings.
  • cloudlibc
    Standard C library for CloudABI that implements a large part of C11 and POSIX 2008. All features that are incompatible with CloudABI’s security model have been removed, making it easy to determine which parts of software needs to be adjusted to work well with sandboxing.
  • CloudABI Ports
    Collection of recipes for cross compiling Open Source Software for CloudABI. All of these recipes are built and exported as packages in various formats (.deb, .rpm, Homebrew, etc.), which makes them easy to install on your development system.
  • Flower
    A networking daemon that can facilitate network connections between CloudABI (and non-CloudABI) applications. Just like CloudABI itself, it uses a capability-like security model for binding and connecting.
  • Scuba
    Container Runtime Interface daemons for running CloudABI applications directly on top of Kubernetes without the need for Docker containers.
  • Argdata and ARPC
    Serialization format and RPC layer capable of transparently forwarding file descriptors between UNIX processes.
  • CloudABI demo web server
    Example web server for CloudABI, written in C++, making use of Flower for networking.
  • This web site
    Feel free to send pull requests if you can think of ways this page can be improved!

Getting in touch

Discussion regarding CloudABI takes place on various media:

  • IRC
    There is an IRC channel, #cloudabi on EFNet (irc.efnet.org) where active discussions regarding the use and development of CloudABI take place.
  • Google Groups
    A mailing list, cloudabi-devel@googlegroups.com, exists. Its archives can be accessed through Google Groups.
  • GitHub
    Feel free to file issues on GitHub in case you have questions!

The CloudABI project needs your help!

Though a lot has already been achieved since the CloudABI project was founded (2015), the project needs both a larger group of users and developers to flourish. Are you interested helping out? Get in touch! Non-technical contributions to the project (e.g., promotion, design, documentation) are appreciated as well!

CloudABI consists entirely of Free/Open Source Software (FOSS). All of the source code developed as part of the project is released on GitHub under a two-clause BSD license.